Information Security: Data Classification

Policy statement

Data classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:

Restricted data

Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.

Restricted information is that which Missouri State has a legal, contractual, or proprietary obligation to protect. For University employees, access to restricted data elements is determined by business process. For non-university employees, access shall be determined by the University’s Custodian of Records in conjunction with the General Counsel’s office.

Private data

Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.

For non-university employees, explicit approval by the University’s Records Custodian is needed in order to receive access to Private data elements. Private data elements include those which Missouri State University protects to mitigate institutional risk, or which have otherwise been categorized as Private. Acquisition or distribution of Private data by or between University agents or employees for a legitimate purpose is allowed, provided that the information is not used in violation of applicable law or in a manner that harms or poses a reasonable threat to the security, confidentiality, or integrity of the information.

Examples: Budget information, procurement documentation, research that has not been completed or published, vendor documentation, contracts, and BearPass Number.

Public data

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include directory information, press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction.

Calculating classification

The goal of information security is to protect the confidentiality, integrity, and availability of Institutional data. Data classification reflects the level of impact to the University if confidentiality, integrity, or availability is compromised.

If you are evaluating data you are responsible for and it does not clearly fall under the laws and regulations listed in the definition, you can apply the Confidentiality, Integrity, and Availability (CIA) criteria. (Most of the legal and regulatory requirements are driven by confidentiality and integrity concerns.)

Confidentiality: The need to strictly limit access to data to protect the University and individuals from loss.

Integrity: Data must be accurate, and users must be able to trust its accuracy.

Availability: Data must be accessible to authorized persons, entities, or devices.

In some situations, the appropriate classification may be obvious, such as when federal laws require the University to protect certain types of data (e.g. personally identifiable information). If the appropriate classification is not inherently obvious, consider each security objective using the following table as a guide.

To determine the level of protections applied to a system or data collection, base your classification on the most confidential data stored, processed, or transmitted by the system. A positive response to the highest category in ANY row is sufficient to place the data into that respective category. Even if the system stores data that could be made available in response to an open records request or information that is public, the entire system must still be protected based on the most confidential data.

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Low impact (Public): The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Moderate impact (Private): The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

High impact (Restricted): The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Low impact (Public): The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Moderate impact (Private): The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

High impact (Restricted): The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability

Ensuring timely and reliable access to and use of information.

Low impact (Public): The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Moderate impact (Private): The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

High impact (Restricted): The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Summary of the level of control each classification requires for each security objective:

                           RESTRICTED         PRIVATE                PUBLIC
Need for Confidentiality   Required (High)    Recommended (Medium)   Optional (Low)
Need for Integrity         Required (High)    Recommended (Medium)   Optional (Low)
Need for Availability      Required (High)    Recommended (Medium)   Optional (Low)

If an appropriate classification is still unclear after considering these points, contact the Information Security unit of Computer Services for assistance.

Data marking

For information that is Private or Restricted, printed material should be conspicuously marked, by cover page or page marking, to indicate the classification level.

Appendix A - Predefined Types of Restricted Information

There are several types of Restricted data based on state and federal regulatory requirements:

Authentication Verifier An Authentication Verifier is a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are. In some instances, an Authentication Verifier may be shared amongst a small group of individuals. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:

Electronic Protected Health Information ("ePHI") ePHI is defined as any Protected Health Information ("PHI") that is stored in or transmitted by electronic media. For the purpose of this definition, electronic media includes:

Transmission media used to exchange information already in electronic storage media. Transmission media includes, for example, the Internet, an extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable and/or transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission.

Export Controlled Materials Export Controlled Materials is defined as any information or materials that are subject to United States export control regulations including, but not limited to, the Export Administration Regulations (“EAR”) published by the U.S. Department of Commerce and the International Traffic in Arms Regulations (“ITAR”) published by the U.S. Department of State. See the Export Controls Policy, Op4.01-3 Export Controls Policy, for more information.

Federal Tax Information ("FTI") FTI is defined as any return, return information or taxpayer return information that is entrusted to the University by the Internal Revenue Service. See Internal Revenue Service Publication 1075 Exhibit 2 for more information.

Payment Card Information Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:

Cardholder name

Service code

Expiration date

CVC2, CVV2 or CID value

PIN or PIN block

Contents of a credit card’s magnetic stripe

Personally Identifiable Education Records Personally Identifiable Education Records are defined as any education records that contain one or more of the following personal identifiers:

Name of the student

Name of the student’s parent(s) or other family member(s)

Social security number

Student number

A list of personal characteristics that would make the student’s identity easily traceable

Any other information or identifier that would make the student’s identity easily traceable

Personally Identifiable Information For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:

Social security number

State-issued driver’s license number

State-issued identification card number

Financial account number in combination with a security code, access code or password that would permit access to the account

Medical and/or health insurance information
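The rules in "Calculating classification" (rate each security objective, a single high rating in any row is enough, classify a system at the level of its most sensitive element, unrated data defaults to Private) and the compositional definitions in this appendix for Payment Card Information (a PAN plus one or more listed elements) and breach-notification PII (a first name or initial, a last name, and one or more listed elements) can be expressed as a small checker that a data catalog or review script could run. The following is an added example written for this page; it is not part of the policy or of any University tool. The column names (`pan`, `ssn`, `first_initial`, and so on) and the rating dictionary are constructed for illustration, and the choice to floor a partially rated element at Private is this example's own.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Impact if a security objective is compromised (wording from the policy's table)."""
    LOW = 1       # limited adverse effect
    MODERATE = 2  # serious adverse effect
    HIGH = 3      # severe or catastrophic adverse effect


class Classification(IntEnum):
    PUBLIC = 1
    PRIVATE = 2
    RESTRICTED = 3


# A single objective rated at a given level places the data in the matching category.
_IMPACT_TO_CLASS = {
    Impact.LOW: Classification.PUBLIC,
    Impact.MODERATE: Classification.PRIVATE,
    Impact.HIGH: Classification.RESTRICTED,
}

# Column names below are hypothetical; a real catalog would map its own field names onto them.

# Appendix A, "Payment Card Information": a PAN combined with one or more of these.
PAYMENT_CARD_ELEMENTS = {"cardholder_name", "service_code", "expiration_date",
                         "cvv", "pin", "magstripe"}

# Appendix A, "Personally Identifiable Information": a name combined with one or more of these.
PII_ELEMENTS = {"ssn", "drivers_license", "state_id_number",
                "financial_account_with_access_code", "medical_or_health_insurance"}


def is_payment_card_info(columns):
    """True when a PAN appears together with at least one listed element.

    A PAN on its own does not match this definition, but it still needs its own
    CIA rating in classify_element; this function does not say a lone PAN is Public.
    """
    cols = set(columns)
    return "pan" in cols and bool(cols & PAYMENT_CARD_ELEMENTS)


def is_breach_notification_pii(columns):
    """True for (first name or first initial) + last name + at least one listed element."""
    cols = set(columns)
    has_name = "last_name" in cols and bool(cols & {"first_name", "first_initial"})
    return has_name and bool(cols & PII_ELEMENTS)


def classify_element(rating):
    """Apply the 'any row' rule: the highest-rated objective decides.

    rating maps "confidentiality", "integrity", "availability" to an Impact.
    An element nobody has rated defaults to Private, as the policy requires.
    Example choice: an element with some objectives unrated is floored at Private,
    because an unrated objective cannot be assumed to be low impact.
    """
    if not rating:
        return Classification.PRIVATE
    level = _IMPACT_TO_CLASS[max(rating.values())]
    if len(rating) < 3:
        level = max(level, Classification.PRIVATE)
    return level


def classify_system(columns, ratings):
    """Classify a whole system at the level of its most sensitive data element."""
    level = Classification.PUBLIC
    # Predefined Restricted types are recognised from column combinations first.
    if is_payment_card_info(columns) or is_breach_notification_pii(columns):
        level = Classification.RESTRICTED
    for col in columns:
        level = max(level, classify_element(ratings.get(col, {})))
    return level


if __name__ == "__main__":
    # Constructed example: a student-records extract with ratings from the data steward.
    columns = ["first_name", "last_name", "student_email", "ssn", "course_title"]
    ratings = {
        "course_title": {"confidentiality": Impact.LOW, "integrity": Impact.MODERATE,
                         "availability": Impact.LOW},
        "student_email": {"confidentiality": Impact.MODERATE, "integrity": Impact.LOW,
                          "availability": Impact.LOW},
        # first_name, last_name and ssn carry no individual rating here
    }
    print(classify_system(columns, ratings).name)           # RESTRICTED (name + SSN is PII)
    print(classify_system(["course_title"], ratings).name)  # PRIVATE (integrity rated moderate)
```

The point the checker makes concrete is that the system's classification is a high-water mark: one moderate integrity rating on an otherwise public column already moves the system to Private, and the name-plus-SSN combination moves it to Restricted even though none of those columns was rated individually.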

Protected Health Information ("PHI") PHI is defined as "individually identifiable health information" transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium by a Covered Component, as defined in Missouri State University’s HIPAA Policy, Op7.07-6 HIPAA and Security. PHI is considered individually identifiable if it contains one or more of the following identifiers:

Name

Address (all geographic subdivisions smaller than state, including street address, city, county, precinct or zip code)

All elements of dates (except year) related to an individual, including birth date, admission date, discharge date, date of death, and exact age if over 89

Telephone numbers

Fax numbers

Electronic mail addresses

Social security numbers

Medical record numbers

Health plan beneficiary numbers

Account numbers

Certificate/license numbers

Vehicle identifiers and serial numbers, including license plate number

Device identifiers and serial numbers

Uniform Resource Locators (URLs)

Internet protocol (IP) addresses

Biometric identifiers, including finger and voice prints

Full face photographic images and any comparable images

Any other unique identifying number, characteristic or code that could identify an individual